New SOA Software Security Features Prevent Growing API Attacks

SOA Software has announced new security features to enable advanced identity management and authentication as well as threat protection as part of their API Gateway service. Speaking with ProgrammableWeb, VP of Marketing Sachin Agarwal said the new suite of security features "is an extremely big release for us."

"We have seen a shift in the business awareness of APIs," said Agarwal. "For the past several years, it was all about raising awareness of the benefits of APIs. Since the end of last year, this conversation has shifted from API awareness to the operational aspects of APIs -- How do we manage the change to a business that comes from using APIs? How do we scale an API?... Naturally, much of the focus now is on how to secure your APIs and how to make the developer experience seamless."

As more businesses take up APIs to drive service delivery and communications, the security risks also increase. Agarwal sees businesses recognizing that a security breach of a business's API has far-reaching impacts: "It is not only your API that is affected but the entire brand of your business."

"What we have seen is that the hackers are always a step ahead, always trying to find vulnerabilities in the Web. As enterprises are increasingly using APIs, they are targeted more. There is often a limited programmable interface for a Web app. For example, a Web form might just let you add your contact details and update that. But if you use an API, you might have hackers trying to do things like add fields to your database, creating unexpected results."

Agarwal and Roberto Medrano, executive VP at SOA Software, point to the Snapchat API security breach in January as a demonstration of the sort of security impacts facing many businesses embarking on an API strategy.

"What happens is that because of the urgency of the business to get started with an API, and the lack of knowledge about using APIs, preventive measures and best practice get left out. One problem Snapchat had was that they didn't have rate limiting, which could have helped prevent some of their security risk. Their second problem was the exposure of their API key; there were no attempts to mask the API key, so it was essentially open. The third problem was in the setting of HTTP parameters: This can make the back-end system misbehave if someone is parameter stuffing."

Agarwal explains that hackers use a variety of techniques to confuse back-end systems by overloading API requests in ways the business's data architecture does not understand. One is parameter stuffing: GET calls padded with many additional parameters, aimed at throwing the system awry. Another technique along the same lines is SQL injection, in which SQL or XPath queries are embedded in API calls to make a business's databases perform unexpected and complex operations.
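Two of the gateway-side defenses the article touches on (the rate limiting Snapchat lacked, and rejecting stuffed or oversized parameters) can be modelled in a few dozen lines. This is an added example, not SOA Software's code; the endpoint allow-list, the sliding-window limiter and the limits are constructed assumptions for illustration.

```python
"""Gateway request policy: per-key rate limit plus strict parameter allow-list.

Added example (not SOA Software's API Gateway). Models two defenses from the
article: throttling a single API key and rejecting parameter stuffing.
"""
from collections import deque
import time

# Hypothetical per-endpoint allow-lists: only these query parameters are accepted.
ALLOWED_PARAMS = {
    "/v1/contacts": {"id", "name", "email"},
}
MAX_PARAM_LEN = 256  # assumed cap on a single parameter value


class RateLimiter:
    """Sliding-window limiter keyed by API key (constructed for this example)."""

    def __init__(self, limit, window_s):
        self.limit, self.window_s = limit, window_s
        self._hits = {}  # api_key -> deque of request timestamps

    def allow(self, api_key, now=None):
        now = time.monotonic() if now is None else now
        q = self._hits.setdefault(api_key, deque())
        while q and now - q[0] >= self.window_s:  # drop hits outside the window
            q.popleft()
        if len(q) >= self.limit:
            return False
        q.append(now)
        return True


def check_params(path, params):
    """Reject requests whose parameters are not on the endpoint's allow-list."""
    allowed = ALLOWED_PARAMS.get(path)
    if allowed is None:
        return False, "unknown endpoint"
    unexpected = set(params) - allowed  # parameter stuffing: anything extra
    if unexpected:
        return False, f"unexpected parameters: {sorted(unexpected)}"
    too_long = [k for k, v in params.items() if len(str(v)) > MAX_PARAM_LEN]
    if too_long:
        return False, f"oversized parameters: {too_long}"
    return True, "ok"


def gateway_decision(limiter, api_key, path, params, now=None):
    """Cheap checks first: rate limit, then parameter policy."""
    if not limiter.allow(api_key, now):
        return False, "rate limited"
    return check_params(path, params)
```

Requests that pass both checks are the only ones a back end should see; everything else is rejected at the edge with a reason that can be logged and alerted on.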

"If these queries are not handled properly by your back end, then it can cause problems like forcing memory overflow; this lets hackers get into your RAM, and they can rewrite your RAM from there," Agarwal warned.

One of the most common security threats is a denial of service (DoS) created by bombarding an API with calls. One feature of the new API Gateway security measures from SOA Software lets businesses establish an on-premise or in-cloud "DMZ-as-a-service" to act as the first line of defense against DoS.

"Our threat protection features are available on premise and can be installed behind the firewall or in the cloud," Agarwal said. "When there is a DoS attack, it can take out a whole server. So if you have threat protection running on the cloud, you can effectively have our infrastructure handle the DoS. We find a lot of businesses are doing both: They have something in the cloud as the first line of defense and then something behind the firewall. So you might have a consumer-facing API with social login for end customers and that API gateway infrastructure can be entirely in the cloud. Then many of our business customers have their customer credentials behind their firewall, so our API Gateway infrastructure is also in their DMZ to manage DoS threats there."

In addition to the threat-protection features, the new security features from SOA Software include:

Authentication and Authorization: "We have an OAuth server so that as API calls come with an OAuth token, we can validate that identity. We can integrate with a variety of identity and authentication schemes; we can do all that," said Agarwal.

Transport and Message-Level Security: These features provide a type of encryption service to manage client data as it is moved through the communication workflow.

Advanced Scripting: "A lot of our enterprise customers want to do their own custom code, and then they can inject that into our gateway services without redeploying and recompiling code on the server side," said Agarwal.

Wide Support of Security Standards: The new features provide support for a wide range of standards, including OAuth, SAML, LDAP, and SSL client authentication (among many others).

PCI DSS 2.0 Compliant: The new features continue to ensure that SOA Software can provide API providers with a network that is fully PCI DSS compliant. This lets API providers transact payments via API and, for example, comply with industry requirements for storing customer credit card data.

SOA Software launched the new security features at the RSA Conference in San Francisco this week.

By Mark Boyd. Mark is a freelance writer focusing on how we use technology to connect and interact. He writes regularly about API business models, open data, smart cities, Quantified Self, and e-commerce. He can be contacted via e-mail, on Twitter, or on Google+.

About the author: Mark Boyd is a ProgrammableWeb writer covering breaking news, API business strategies and models, open data, and smart cities.

Comments (1)

Great article Mark. In-cloud "DMZ-as-a-service" is already a bit of outdated terminology. "Cloud DMZ" sums it up, and as of today (Feb/2015) it's standard IBM speak for the service. There are also several companies launching products on the name. Thanks for the great review!
